The implications of GDPR for small businesses

Petersfield, Hampshire, UK 23 August 2017

Really Simple Systems’ CEO, John Paterson, looks at how the new General Data Protection Regulation (GDPR) will affect small businesses

New EU data protection legislation is due to be implemented next year yet there’s a lot of uncertainty around how this will affect businesses. Really Simple Systems CEO, John Paterson, considers the implications for small businesses and what can be done to prepare for the change.

Understanding GDPRAs a cloud CRM vendor, Really Simple Systems CEO, John Paterson, has a vested interest in data security. Like other IT business owners, his livelihood depends upon ensuring his client’s data secure. However, the looming deadline of European Union’s (EU) new General Data Protection Regulation (GDPR) has turned data protection on its head and his business, like every other, needs to make decisive changes to guarantee compliance.

GDPR is new data protection legislation that is due to come into force on 25th May 2018. The legislation gives control back to the individual who can challenge anyone holding their personal information. Compliance will be mandatory for all businesses, no matter their size, location or industry, who hold data on EU nationals. This makes it important for any business who has customers or contacts in the EU to make sure they understand the changes and implement the regulations before GDPR comes into force next year.

Paterson comments “There are two keys things that small businesses need to do to prepare for GDPR. Firstly, familiarise themselves with the regulations and what they need to have in place beforehand. Secondly, they need to start collecting email consents now from new prospects, and working on getting consents from their existing database before the deadline, because after that they won’t be able to email them.”

He continues “This is the biggest marketing and compliance challenge businesses have faced for some time yet there is a lot of uncertainty around what exactly GDPR entails. One major area of confusion is how GDPR interplays with the forthcoming changes to the Privacy in Electronic Communications (PECR) legislation, and whether B2B marketing will be treated as different from B2C.”

GDPR is good news for individualsDifficulties on how businesses will implement and comply with GDPR have been much debated alongside concerns about the hefty fines should a company break the ruling. For most small businesses suggested fines of 4% of global turnover or 20 Million euros are scary numbers.

But for individuals, GDPR brings welcomed new regulation. The aim of the legislation is to allow the EU to take a much stronger stance on protecting the personal data of its people, giving more visibility of what information companies are collecting about them. And even more importantly, providing transparency of what companies are doing with that information. Paterson adds “Modern technology has moved on leaps and bounds since the last update to the data protection regulations and GDPR is the European Union’s way of catching up with how companies are currently collecting and storing data on people.” The EU is also extending the ‘right to be forgotten’ clause to a ‘right to erasure’ which means that EU citizens would be able to request search sites to delete text or images that might be embarrassing or damaging to their reputation.

Importance of GDPRLiving in the digital era means that so much of our daily activity is now carried out online. Being able to pay bills and order groceries online might seem convenient but it’s not without its risks. Cybercrime is on the rise and hackers are looking for new opportunities to get a hold of personal data. The ransomware attack of a few months ago that affected the NHS is just one example of this. In general, there is a lack of knowledge on how data security works or even why it’s important to keep up with computer updates and the likes.

Under GDPR, companies will have to ensure they have explicit consent to store a customer’s data and they will need to inform the customers directly should their security be breached. Internet consumers need to be clued up on the risk of giving their personal data online and GDPR gives people further power to dictate what data they want to share.

Consequences for small businessesSmall businesses could be considered more vulnerable targets to cyber-attacks. “In many instances, small business owners don’t realise what data they are holding on their customers” continues Paterson. “They might not discover there has been a breach of data until it’s too late. Making sure your team is aware of data protection law will help identify situations where there could be a problem and will ensure the data is handled correctly.”

Under GDPR, companies are obligated to report a breach to the regulatory body within 72 hours unless exceptional circumstances apply. Paterson suggests, with this short time frame, the only way many small businesses will be able to comply will be if they have prepared for a breach in advance. He says practising for a possible data breach will help make sure businesses have identified their weak spots and can prepare for the worst.

Making sure customer data is kept secure is good practice and can also lead to better customer retention as more and more consumers become aware of just how important data protection is. Paterson challenges that some large organisations might start considering small business a weak link in their distribution channels unless they can prove they are able to comply fully with GDPR. He says “If not, you might find larger organisations will look to break links with their smaller business partners and bring those capabilities in-house”.

Impact of BrexitWhen it comes to the current Brexit negotiations, few things seem straight forward. What is known is that UK will still be a part of the EU when GDPR comes into effect which means all UK businesses will be required to comply. It’s also important to remember that GDPR applies to anyone holding the data of EU citizens. Any business holding contact information and doing business with other EU members will need to be GDPR compliant even if that business is located outside of the EU.

“GDPR is about data protection catching up with technology to protect individuals from having their data leaked or misused” says Paterson. “It’s likely the UK would adopt similar rules to GDPR, post-Brexit.” As the world becomes increasingly digital it makes sense for governments to start imposing stricter rules with the aim of keeping their citizens safe from cybercrime and data leaks.

“An implication of GDPR for any company using software like CRM or email marketing will be the location of where the software vendor is storing their company data. Many of the big names, like Salesforce, are US based and do not even comply with current EU data protection law at present.”

Really Simple Systems and GDPR

John Paterson concludes “Despite the lack of clarity around the bill, Really Simple Systems is erring on caution and making sure our processes cover all the likely scenarios that GDPR may impact on. As a UK based company, we are bound by the legislation so all our customers’ data is held in the UK and we will make any necessary changes post-Brexit. We are also looking to develop our CRM so it will help our customers be compliant in collecting and storing data.”